Thesis_Report.tex~ 50 KB

\documentclass[article,msc=informatik,type=msc,colorback,accentcolor=tud9c]{tudthesis}
\usepackage{ngerman}
\newcommand{\getmydate}{%
\ifcase\month%
\or Januar\or Februar\or M\"arz%
\or April\or Mai\or Juni\or Juli%
\or August\or September\or Oktober%
\or November\or Dezember%
\fi\ \number\year%
}
\begin{document}
\thesistitle{A Mobile Honeypot for Industrial Control Systems}
{}
\author{Shreyas Srinivasa}
\birthplace{Bangalore, India}
\referee{Emmanouil Vasilomanolakis}{}
\department{Fachbereich Informatik}
\group{Telekooperation \\ Prof. Dr. Max M{\"u}hlh{\"a}user}
\dateofexam
\tuprints{12345}
\makethesistitle
\section{Introduction}
Mobile devices today have better communication capabilities and enable dynamic, faster communication. Users can access the Internet and web applications through their smartphones anywhere, anytime. Smarter applications offer users better social interaction and online presence, which creates an urge to stay connected and online seamlessly in order to stay updated. Public infrastructures like airports, coffee shops and shopping malls provide free access to their networks to their customers to facilitate connectivity and, of course, some information exchange. With free access to networks, attackers are now concentrating on the possibility of exploiting users in the same network. Securing open networks is very challenging and complex. It is, however, possible to detect these attacks, and a pro-active approach is the better way of doing so.
Large industries such as nuclear power plants, water treatment and distribution plants and manufacturing plants have many complex critical machines that require constant monitoring. They rely on process automation of these machines and depend on sensors to make this automation possible. This sensor-to-machine-to-human communication and automation is achieved with the help of PLCs\cite{Webb:1998:PLC:551899} (Programmable Logic Controllers). This communication is usually not secured and is open to attacks; as this hardware has limited computing resources, encryption of data is an expensive option. Many attacks on SCADA\footnote{http://www.schneider-electric.com/solutions/ww/en/med/20340568/application/pdf/1485se-whitepaper-letter-scadaoverview-v005.pdf} ICS have been detected over the years, the most notable being STUXNET\cite{Langner:2011:SDC:1990763.1990881}. Securing these networks and detecting attacks in them is necessary, as they carry the communication of critical machines. Failure of such machines could devastate the environment and human life, given the widespread use of PLCs in infrastructures like airports, coffee shops and also in prisons.
There are two approaches to detecting attacks: using a NIDS\cite{1377213} (Network Intrusion Detection System) or using a Honeypot\cite{Provos:2004:VHF:1251375.1251376}. A NIDS is installed on the server machines or hosts; requests are scanned and analyzed for exploit-forged packets before they are passed on to the server. A NIDS is suitable for systems with ample resources, whereas the Honeypot approach can be used where fewer resources are available. The idea behind a Honeypot is to pose as a vulnerable host connected to the network, which is tempting to exploit, thereby trapping the attacker and collecting as much information as possible to backtrack the attack, or at least enough to detect that the network is under attack.
\subsection{Motivation}
The applicability of a Honeypot in a mobile environment is prodigious, considering the public network infrastructure services on offer. Network connectivity has become more of a necessity than a luxury as technology continuously evolves. Better services, data management and accessibility draw many users to having an online presence and to the need to stay connected. This need is served by businesses and public infrastructures like airports, malls and cafeterias. With smartphones, people have the power to stay connected and to do the majority of their tasks efficiently at their fingertips. Mobile devices today are considered personal devices because of their capability to store, share and process private data. This data is valuable and private to a user and has to be secured. Connecting to public networks can expose a user to many vulnerabilities, as security is not always considered in public networks. With the help of scripts crafted to exploit these vulnerabilities, an attacker can exploit users' personal data.
Attacks are not limited to the protocols discussed above. Airports, malls, enterprise hotels and large industries use PLCs\cite{Webb:1998:PLC:551899} (Programmable Logic Controllers) for many applications such as conveyor belts, elevators, lighting control systems and fire and safety detection systems, in order to automate tasks quickly without human intervention. PLCs can be programmed logically to specify the methods to be called based on the inputs provided by sensors. SCADA (Supervisory Control and Data Acquisition) is a system operating with coded signals over communication channels so as to provide control of remote equipment like PLCs.
A study by DELL\cite{DELLSecurityPoster2015} showed that attacks on industrial components like PLCs doubled over the years and, even more dangerously, that such incidents go unreported. The research found a 100 percent increase in attacks against industrial control systems like SCADA.
Figure 1 gives an overview of the key SCADA attack methods. It shows that about half of all attacks were based on improper bounds checking of memory buffers, improper input validation and vulnerabilities in credentials management. These vulnerabilities pose a huge threat to ICS. Figure 2 shows the number of attacks performed per month. There is a steep increase in the number of attacks over the months, expressing the need to safeguard ICS systems and also to detect these attacks.
\begin{figure}[ht]
\centering
\includegraphics[scale=0.25]{scadamethods}
\caption[SCADA Attack Types]{\label{f:SCADA Attack}SCADA attack methods\cite{DELLSecurityPoster2015}}
\end{figure}
\begin{figure}[ht]
\centering
\includegraphics[scale=0.35]{scadahits}
\caption[SCADA Hits]{\label{f:SCADA Hits}SCADA hits on a monthly basis\cite{DELLSecurityPoster2015}}
\end{figure}
The majority of industrial systems today use SCADA for controlling and automating their processes.
Securing these devices is as important as securing any other host in the network, because these devices are programmable and could affect the normal automated operation. STUXNET\cite{Langner:2011:SDC:1990763.1990881}, a computer worm discovered in 2010, was designed to attack industrial programmable logic controllers (PLCs). STUXNET reportedly compromised PLCs in a power plant in Iran. The design and architecture of STUXNET are not domain-specific, and it could be adapted to exploit modern SCADA and PLC systems.
\subsection{Contribution}
This thesis aims at identifying and detecting SCADA attacks using a low-interaction mobile Honeypot platform, with which industrial master and slave profiles will be simulated. An analysis of the communication paradigm and of the security loopholes in a SCADA ICS system is made in order to simulate the services offered by the system.
The thesis also contributes to several security-related research questions concerning SCADA ICS systems, such as identifying the targets, analyzing the malware, assessing the consequences and defending ICS systems.
\subsection{Outline}
This thesis also aims at adding further capabilities to detect attacks through different malware, mainly focussing on simulating an industrial-level SCADA PLC in order to detect malware attacks on it. The rest of this exposé is structured as follows. Section 2 specifies the requirements for developing the protocol emulation for the mobile Honeypot. In Section 3, related work in the areas of mobile Honeypots and SCADA Honeypots is discussed. Section 4 describes the proposed system for a mobile Honeypot for ICS systems, and Section 5 concludes with a time plan for the thesis.
\section{Background - ICS SCADA and Mobile Honeypots}
ICS (Industrial Control Systems) form a dominant portion of present-day industries. Strange yet astonishing as it may seem, ICS are also a part of everyday life. ICS components include actuators, sensors, networking devices, controlling systems and PLCs. The sensors form a major part of an ICS, as they provide a continuous feed of critical information that is used to automate and control other systems. The other important component is the PLC: this interface allows a programmer to implement the logic that automates the systems based on the data received from the sensors. There are a few different kinds of ICS. One of the major types is SCADA (Supervisory Control and Data Acquisition), which is deployed over geographically widespread sites and controlled from a central location. Examples of this type include nuclear power plants, water distribution and power distribution, where there is a need for constant monitoring and critical automation. SCADA systems are mainly deployed where alarm systems are needed. The other kind of ICS is the Distributed Control System (DCS); in contrast, these systems are not centralized but distributed across a network. We shall focus on SCADA ICS systems, as they are deployed in major infrastructures today.
Infrastructures discussed above have many components and devices which need constant communication between them.
% Complete this para
\subsection{ICS SCADA}
SCADA is an industrial automation control system at the core of many industries today, including energy, oil and gas, power, water and recycling, manufacturing and many more. It is used by both private-sector industries and public-sector service providers, and provides the benefit of simple configuration and usability.
The basic architecture of SCADA involves the communication of information from sensors or manual inputs to PLCs or RTUs. These PLCs process the information as per the logic deployed in them and then forward it to workstations or servers running SCADA applications. Figure 3 describes the basic architecture of a SCADA system.
\begin{figure}[ht]
\centering
\includegraphics[scale=0.75]{SCADA-Architecture}
\caption[SCADA Architecture]{\label{f:SCADA Architecture}SCADA Architecture}
\end{figure}
SCADA systems involve control components and network components. The following is a list of the control components in SCADA:
\begin{itemize}
\item\textbf{Remote Terminal Units (RTU):} These units connect to sensors in the process and convert sensor signals to digital data. They have telemetry hardware capable of sending digital data to the supervisory system, as well as receiving digital commands from it. RTUs often have embedded control capabilities in order to accomplish boolean logic operations.
\item\textbf{Programmable Logic Controllers (PLC):} These devices connect to sensors in the process and convert sensor signals to digital data. PLCs have more sophisticated embedded control capabilities than RTUs. PLCs do not have telemetry hardware, although this functionality is typically installed alongside them. PLCs are sometimes used in place of RTUs as field devices because they are more economical, versatile, flexible and configurable.
\item\textbf{Telemetry system:} It is typically used to connect PLCs and RTUs with control centers, data warehouses and the enterprise. Examples of wired telemetry media used in SCADA systems include leased telephone lines and WAN circuits; examples of wireless telemetry media include satellite (VSAT), licensed and unlicensed radio, cellular and microwave.
\item\textbf{Data and Control Server:} A data acquisition server is a software service which uses industrial protocols to connect software services, via telemetry, with field devices such as RTUs and PLCs. It allows clients to access data from these field devices using standard protocols.
\item\textbf{Human Machine Interface (HMI):} The apparatus or device which presents processed data to a human operator, through which the operator monitors and interacts with the process. The HMI is a client that requests data from a data acquisition server.
\item\textbf{Historian software:} A software service which accumulates time-stamped data, boolean events and boolean alarms in a database which can be queried or used to populate graphic trends in the HMI. The historian is a client that requests data from a data acquisition server.
\end{itemize}
Different network characteristics exist for every layer within the control systems. The network topologies vary by vendor or manufacturer and by implementation. Modern-day SCADA systems are open to Internet communication, and enterprise integration can be achieved: the control networks work hand in hand with the corporate enterprise networks so that the systems can be managed and controlled from outside networks. The following are the major network components of an ICS network:
\begin{itemize}
\item\textbf{Fieldbus Network:} The fieldbus network links sensors and other devices to a PLC or other controller. The use of fieldbus technologies eliminates the need for point-to-point wiring between the controller and each device. The devices communicate with the fieldbus controller using a variety of protocols, and the messages sent between the sensors and the controller uniquely identify each sensor.
\item\textbf{Control Network:} The control network connects the supervisory control level to the lower-level control modules.
\item\textbf{Communications Routers:} A router is a communication device that transfers messages between two networks. Common uses for routers include connecting a LAN to a WAN, and connecting MTUs and RTUs to a long-distance network medium for SCADA communication.
\end{itemize}
SCADA applications help in monitoring and analysing the data so that device controllers and operators can work efficiently. Modern SCADA systems allow real-time data from the plants to be accessed from anywhere in the world. This also means that attackers have an opportunity to exploit this data and its availability. Exploiting SCADA systems can be catastrophic, as it may result in huge damage to the environment and to the people in the plant. We try to identify the attacks and exploits that could be made, and to detect them using a mobile Honeypot.
\subsection{Security Perspective of SCADA ICS}
ICS SCADA systems are highly distributed. They are used to control and manage geographically dispersed plants, often scattered over thousands of kilometers, where centralized data acquisition and control are critical to system operation. They are applicable in distribution systems such as water distribution and wastewater collection systems, oil and natural gas pipelines and electrical power grids. A SCADA control center provides centralized monitoring and control for field sites over long-distance communications networks, including monitoring alarms and processing status data. Based on information received from remote stations, automated or operator-driven supervisory commands can be pushed to remote station control devices, often referred to as field devices. Field devices control local operations such as opening and closing valves and breakers, collecting data from sensor systems, and monitoring the local environment for alarm conditions.
The control center is responsible for managing and controlling the devices at the field site, and thus a critical communication network is needed between them. This is usually established through MODBUS TCP/IP over Ethernet. It is usually advised to place the SCADA devices on a network that is not physically connected to any other network\footnote{http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf}.
% Refer to paper Plausible Solution to SCADA security for more info
\subsection{Honeypots}
A Honeypot is a decoy server or system in a network which is closely monitored for adversaries. It is also defined as:
\textit{A Honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource}\footnote{https://www.acsac.org/2003/papers/spitzner.pdf}. Honeypots are mostly deployed inside firewalls, but they could be deployed in any part of the network. A Honeypot is designed to be a system with the vulnerabilities and services that are offered by a real target system; any attempt to connect to it can be considered an attack. All activities are logged and further traced. The general idea is that once an adversary discovers a vulnerable system and tries to attack it, he will come back with more sophisticated attacks. The initial phase of discovery, in which the general services and loopholes become known, is called system social engineering.
Honeypots are active monitoring components that wait for attacks and respond to them by luring the attacker into pursuing further.
There are certain functionalities that Honeypots must possess in order to fulfil their purpose:
\begin{enumerate}
\item Honeypots must simulate the system they are intended to focus on. This gives the attacker the impression of approaching a real system. The Honeypot may simulate the complete functionality of the system or just the services offered by it.
\item A proper response mechanism which keeps the attacker engaged with the Honeypot. This enables better logging of the attack and also provides more data for analyzing attacks.
\item A Honeypot has three perspectives: first, the attacker's, in which it poses as a vulnerable system; second, the administrator's, who can identify and log the attacks made by the attacker; and third, being able to present and analyse the attacks logged by the administrator.
\item Honeypots must not induce additional load on the infrastructure. They must be designed to be lightweight and to have no influence on the production systems.
\item Honeypots are by nature exposed to exploits, threats and malware. It is very important to ensure that this data does not leak through the network, where it could later infect other systems.
\item Following from the previous condition, Honeypots must be robust enough to withstand attacks and exploits without failing.
\end{enumerate}
Honeypots are clearly valued because of the interaction mechanism they provide for any communication request. They can be used to study and gather exploits, malware and threats in an early attack phase. There are many reasons to consider Honeypots as an additional security monitor; the main advantages are:
\begin{itemize}
\item\textbf{Effective Data Sets:} A Honeypot collects data only when communication with it is requested. The data collected at Honeypots may not be immense, but it is good enough to analyze and detect attacks. The logs provide information about the attacker's IP address, the time of the attack and the protocol used to carry it out. This results in fewer false positives.
\item\textbf{Reduced False Positives:} With other security approaches like IDS and firewalls, false positives are quite common, and the biggest challenge is to reduce them. Honeypots reduce false positives, or can be designed to do so, because any communication with the Honeypot is unauthorized. This makes Honeypots efficient in detecting attacks.
\item\textbf{Catching False Negatives:} Honeypots have an advantage over signature-based detection systems. Signature-based systems do not categorize unknown attacks; they rely on signature updates to their local database to identify and detect unknown attacks, so the probability of detecting a new exploit is low. Honeypots detect all attacks irrespective of their signatures, thereby increasing the possibility of detecting new attacks.
\item\textbf{Encrypted Communication:} Current transport-layer standards include encrypted TLS communication between nodes. Some attacks go undetected because the data and communication are encrypted. All enterprises employ secure protocols like SSH, IPSec, HTTPS and TLS in their infrastructure, which may cause problems in detecting exploits and analyzing the attacks later. Honeypots solve this issue, as they are end points of the communication: the hosts interact directly with the node, and hence all traffic and data can be decrypted and analysed later.
\item\textbf{Compatibility with new architectures:} Technology evolves every moment, and it is essential to consider future compatibility with newer standards and technology. Most modern-day IDS or firewalls are not compatible with IPv6, which promises to be the next standard for Internet addressing. Honeypots can be made compatible with newer standards and technology, as they are not mediators or devices but act as end points. Devices could, however, be simulated by Honeypots.
\item\textbf{Flexibility:} Honeypots can be deployed locally or exposed to the external network. They can be deployed in any environment, based on the requirements, and can be used to simulate any software, hardware, servers, workstations and devices.
\item\textbf{Minimal Resource Consumption:} Honeypots can run on low-resource machines, as they are just simulations and need not depict the full functionality of the simulated system. Honeypots today can run on smartphones, which possess resources good enough to run a Honeypot.
\end{itemize}
There has been extensive research in the field of Honeypots. This section describes related work on Honeypots.
\subsubsection{Types of Honeypots}
Honeypots can be classified into two types based on the ability of the attacker to interact with the application or services: High-Interaction Honeypots and Low-Interaction Honeypots. This classification is mainly based on the Honeypot's interaction with the attackers. A High-Interaction Honeypot is typically composed of the actual device, its operating system and all the applications that run on that device; in short, the exact machine with all its services is used as a Honeypot. This provides better interaction, as the device itself is the Honeypot, and there are better chances that, for a known vulnerability, all the exploits work on the device. The main advantage of such Honeypots is that it is the machine itself that is exposed, which has greater chances of attracting attackers. The disadvantage is that if the Honeypot is completely compromised, it has to be rebuilt in order to log further attacks. The validity of such Honeypots is not guaranteed.
A Low-Interaction Honeypot, on the other hand, is a software-based or simulation-based approach. The system to be subjected to attack is simulated by the Honeypot along with its main services. The Honeypot can run on any system; for example, it can run on a Linux machine and simulate a Windows IIS server. It can simulate or mimic the network stack and the operating system of the targeted system. All connections and communication with this device are logged. The advantage of Low-Interaction Honeypots is that they are completely flexible and easy to maintain. They are also unlikely to get compromised, as they merely mimic the services or, in short, the basic communication mechanism. It is up to the researcher to design these Honeypots accurately in order to get productive results.
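As an added example, not part of this thesis nor of HosTaGe or any project discussed here, the following Python code sketches what the low-interaction approach just described looks like for the MODBUS TCP/IP link that SCADA control centers use to reach their field devices: a small slave emulation that parses the Modbus/TCP framing (MBAP header plus PDU), answers Read Holding Registers requests from a constructed register table, replies with Modbus exception responses to anything else, drops malformed frames, and records every contact with the fields named among the Honeypot advantages above (source address, time of contact, protocol and function code). The register values, the peer addresses and the listening port 5020 are assumptions for illustration; \texttt{summarize\_log} groups the records per source, which is all the triage a Honeypot needs since every contact with it is unsolicited.

```python
"""Added example, not part of this thesis or of HosTaGe: a minimal
low-interaction Modbus/TCP slave emulation of the kind such a honeypot
exposes. It parses the MBAP header, answers Read Holding Registers
(function 0x03) from a constructed register table, sends Modbus exception
responses otherwise, drops malformed frames, and records every contact
(peer, time, protocol, function code). Register values are constructed."""
import socket
import struct
import time
from typing import Dict, List, Optional

# Constructed PLC state: ten holding registers with made-up values.
HOLDING_REGISTERS: List[int] = [100, 200, 300, 400, 500, 600, 700, 800, 900, 1000]
FUNC_READ_HOLDING = 0x03
EXC_ILLEGAL_FUNCTION, EXC_ILLEGAL_ADDRESS, EXC_ILLEGAL_VALUE = 0x01, 0x02, 0x03
LOG: List[Dict] = []  # one record per contact; no attack signature is needed


def parse_mbap(frame: bytes) -> Optional[Dict]:
    """Split a Modbus/TCP frame into MBAP fields and PDU; None if malformed."""
    if len(frame) < 8:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    # protocol id is always 0; length counts the unit id plus the PDU
    if pid != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "uid": uid, "pdu": frame[7:]}


def build_frame(tid: int, uid: int, pdu: bytes) -> bytes:
    """Prefix a PDU with an MBAP header (used for requests and responses)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


def read_holding_request(tid: int, uid: int, start: int, count: int) -> bytes:
    """Build the request a master (or a scanner) would send."""
    return build_frame(tid, uid, struct.pack(">BHH", FUNC_READ_HOLDING, start, count))


def handle_frame(frame: bytes, peer: str, now: Optional[float] = None) -> Optional[bytes]:
    """Emulate the slave's reply to one frame and log the contact.
    Returns None for a malformed frame (a real slave drops it; we still log)."""
    record = {"peer": peer, "time": now if now is not None else time.time(),
              "protocol": "modbus/tcp", "function": None}
    LOG.append(record)
    req = parse_mbap(frame)
    if req is None:
        record["note"] = "malformed MBAP frame"
        return None
    pdu, tid, uid = req["pdu"], req["tid"], req["uid"]
    func = record["function"] = pdu[0]
    exc = bytes([func | 0x80])  # exception responses set the high bit of the function
    if func != FUNC_READ_HOLDING:
        return build_frame(tid, uid, exc + bytes([EXC_ILLEGAL_FUNCTION]))
    if len(pdu) != 5:
        return build_frame(tid, uid, exc + bytes([EXC_ILLEGAL_VALUE]))
    start, count = struct.unpack(">HH", pdu[1:5])
    # bounds check: a register window outside the table is an illegal address
    if not 1 <= count <= 125 or start + count > len(HOLDING_REGISTERS):
        return build_frame(tid, uid, exc + bytes([EXC_ILLEGAL_ADDRESS]))
    values = HOLDING_REGISTERS[start:start + count]
    body = bytes([func, 2 * count]) + b"".join(struct.pack(">H", v) for v in values)
    return build_frame(tid, uid, body)


def summarize_log() -> Dict[str, Dict]:
    """Per-peer summary of recorded contacts: count, first/last seen, functions."""
    out: Dict[str, Dict] = {}
    for r in LOG:
        s = out.setdefault(r["peer"], {"count": 0, "first": r["time"], "last": r["time"], "functions": set()})
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], r["time"]), max(s["last"], r["time"])
        if r["function"] is not None:
            s["functions"].add(r["function"])
    return out


def serve(host: str = "127.0.0.1", port: int = 5020) -> None:
    """Expose the emulation on a TCP port (5020 avoids needing root for 502)."""
    with socket.socket() as srv:
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            with conn:
                data = conn.recv(260)  # a Modbus/TCP frame is at most 260 bytes
                reply = handle_frame(data, addr[0]) if data else None
                if reply:
                    conn.sendall(reply)


if __name__ == "__main__":
    serve()
```

Running the file starts the listener on 127.0.0.1:5020; \texttt{handle\_frame} can also be driven directly with frames built by \texttt{read\_holding\_request}, which is how the emulation can be checked without a network. Note that the emulation never executes anything an attacker sends: it only ever returns constructed register values or an exception code, which is what keeps a low-interaction Honeypot of this kind hard to compromise.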
\subsubsection{Honeynets}
Honeynets are a networked collection of honeypots that look like common network services and servers (Provos and Holz, Virtual Honeypots: From Botnet Tracking to Intrusion Detection, 2008).
A honeynet could be a collection of Honeypots posing as a domain controller, web server, application server, file server and so on, which together provide the facade of an enterprise network. Honeynets usually consist of high-interaction honeypots, low-interaction honeypots, or a combination of both; using only high-interaction Honeypots for this approach would be more expensive.
Honeynets are placed behind a Honeywall, which acts as a bridge to the honeynet and includes network monitoring, packet capture and IDS capabilities.
\subsubsection{Mobile Honeypots}
Modern-day smartphones are context-sensitive and collect a lot of data from the user's perspective. This data is both private and critical to the user, and there is a need to protect it. The phones also have enormous computing resources in terms of hardware, and efficiently built software kernels that are capable of processing huge amounts of data. We are also able to stay online every moment and can connect to various hotspots providing Internet access. This is also a huge security concern, as the networks and the apps deployed on our phones may not be secure and may leak sensitive data about the user.
The power of mobility, computing resources, usability and flexibility make mobile devices a good platform to host Low-Interaction Honeypots.
Such capabilities make it possible to host a Low-Interaction Honeypot on these devices. Some researchers believe that Mobile Honeypots are still not well defined: the term could describe either a probe deployed on a mobile device or on a mobile operating system, and it can also describe a system that is controlled in a network of mobile devices\footnote{http://conferences.sigcomm.org/sigcomm/2012/paper/sigcomm/p305.pdf}.
Early research on Mobile Honeypots focused only on Bluetooth communications [5,17]. The continuous advances in smartphone technology have enabled better opportunities for Honeypot research on smartphones.
% Write about Mobile Honeypots
There has been existing work that focused on the detection of mobile-specific malware. The first to discuss the idea of a Honeypot for smartphones were Mulliner et al., who provided the initial ideas, challenges and an architecture for their proposed system\cite{mulliner2011poster}. Nomadic Honeypots\cite{Liebergeld_nomadichoneypots:} concentrate on mobile-specific malware and also trade off a lot of personal information.
\begin{itemize}
\item\textbf{HoneyDroid:} % cite HoneyDroid
HoneyDroid is a smartphone Honeypot for the Android operating system which claims to be the first ever Honeypot in the Mobile Honeypot category that makes use of smartphone hardware to host the Honeypot. It is built on a Linux micro-kernel and is customized to impose restrictions on the Android operating system in order to monitor its activities. The architecture comprises an Event Monitor, which monitors active connection requests and also system calls at the kernel level; Filters, which mitigate any attempts by malware to affect the system; and logging software which records all activities. This Honeypot also focuses on detecting attacks from apps installed on the device which try to infiltrate the kernel to gain unauthorized access. The system also involves virtualization, which enables the simulation of various services.
This could also result in an overhead and hence a signature which can be detected by attackers and malware. However, the aim of HoneyDroid was to introduce the concept of Mobile Honeypots.
\item\textbf{Cellpot:} % cite Cellpot
Cellpot concentrates on the detection of and defence against attacks in the cellular network. It comprises a collection of Honeypots, or Honeynets, deployed on mobile phones. Cellpot consists of applications like SMS spam prevention, mobile phone theft and malware protection. The Honeypot mainly concentrates on Small Cells, % cite from paper
wireless infrastructure deployed at customer sites and operated in licensed bands. The main use of Small Cells is to support the need for coverage and capacity. These points are a good place to deploy Honeypots to detect malware and other intrusion attacks. Denial of Service is the most common category of attack in cellular networks, and with the help of a few devices this attack can be executed successfully; introducing a Honeypot approach for detecting such attacks at small cells is a feasible solution. The concept of Cellpot is to detect, collect intelligence on and mitigate threats against the cellular network directly on the base stations. Further, it has the ability to deploy countermeasures against detected threats, and enables a wide area of applications. It provides a good platform for mobile network operators to deploy and run additional applications to reduce signaling.
\item\textbf{Nomadic Honeypots:}
\item\textbf{HosTaGe:} HosTaGe\cite{Vasilomanolakis:2013:TNI:2516760.2516763},\cite{Vasilomanolakis:2014:HMH:2659651.2659663} is an Android app which acts as a Mobile Honeypot, designed to detect malicious networks and probe for attacks. It is user-centric and aims at creating security awareness among its users. The results obtained are synchronised with a global repository and can also be shared locally through Bluetooth. The current version is capable of emulating Windows, Unix, Apache Server, SQL and Paranoid hosts; attacks through HTTP, SMB, SSH, HTTPS, Telnet and FTP can be identified.
\end{itemize}
\subsection{SCADA Honeypots}
Analysing the security concerns of ICS SCADA systems and the advantages of Honeypots, a solution could be implemented that combines the needs and features of both. SCADA Honeypots could be deployed in ICS networks for monitoring and analysis. They act as an additional line of defense, providing warnings and notifications of attacks. Designing a SCADA Honeypot involves studying the architecture of SCADA systems and their components, as well as the protocols involved in the communication and processing of data. Further, as discussed before, SCADA networks comprise hardware devices like PLCs and RTUs which play a very critical role in processing and communicating data. SCADA systems rely on PLCs for data processing. If PLCs are targeted by attackers to compromise their operation, it could bring down the entire plant, thereby resulting in a huge catastrophe. Modern PLCs offer TCP/IP communication, which can be used to control and manage the data flow between other PLCs and control servers. Investigating attacks that have occurred in the past, the STUXNET malware was found to have been injected into a nuclear enrichment facility in Iran. STUXNET was injected into the network through a USB drive connected to one of the host control systems. The malware spread from that system to other systems through the intranet and remained hidden from operators. STUXNET was able to interfere with the operation of a PLC that controlled centrifuges and managed to compromise the conditions on which the PLC depends. It was only through the observation of an operator that the PLC was causing the centrifuges to run faster than usual that the attack was detected at all. But nobody could determine what caused the centrifuges to run abnormally.
Detecting such kinds of attacks is not only complex but also very necessary. Such attacks can be detected neither by signature-based systems nor by firewalls. Some organisations took the initiative to design Honeypots for SCADA systems. They are elaborated in the following sections.
\subsubsection{SCADA Honeynet}
The SCADA Honeynet Project\cite{5198796} is a project aimed at building Honeypots for industrial networks. It was the first of its kind. SCADA Honeynet was designed to simulate PLCs and detect attacks performed on them. The short-term goal of the project was to determine the feasibility of building a software-based framework to simulate a variety of industrial networks such as SCADA, DCS, and PLC architectures. It provided scriptable industrial protocol simulators to test actual protocol implementations. The design was an integration of the stack level, protocol level, application level and hardware level. The Honeypot was carefully designed to cover all the services offered by SCADA systems, including networking devices like routers and a direct serial device.
\subsubsection{Trend Micro SCADA Honeypot}
Trend Micro, a global security software company, conducted an experiment\footnote{http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-whos-really-attacking-your-ics-equipment.pdf} to detect attacks on SCADA by setting up 12 Honeypots in 8 countries. The Honeypots camouflaged a municipal water control system based on SCADA that was connected to the internet. Attacks were basically focussed on meddling with the pump system. The objective of this experiment was to assess who or what is attacking Internet-facing ICS/SCADA (Industrial Control Systems) devices and why. In addition, the research set out to identify whether the attacks performed on these systems were targeted, by whom, and for what purpose.
The Honeypot architecture used a combination of high-interaction and pure-production Honeypots. A total of three Honeypots were created to cover as much of the target surface as possible. All three Honeypots were Internet facing and used three different static Internet IP addresses in different subnets scattered throughout the United States.
\subsubsection{Digital Bond}
Digital Bond, a security research and consulting firm, created a Honeypot system that comprises two virtual machines. It is open source. One of the virtual machines acts as a PLC Honeypot and the other is a monitoring engine that logs all the traffic information. This system is also called a Honeywall. Honeywalls can also be used to monitor high-interaction PLC Honeypots. The Honeywall comprises the Snort IDS and PLC-specific signatures. The services that are simulated are FTP, TELNET, HTTP, SNMP and MODBUS TCP.
\subsubsection{Conpot}
Conpot\footnote{http://conpot.org/} is a low-interaction, server-side ICS Honeypot designed to be easy to deploy, modify and extend. It provides a range of common industrial control protocols capable of emulating complex infrastructures, to convince an adversary that he has just found a huge industrial complex. To improve its deceptive capabilities it also provides the possibility to serve a custom human machine interface, which increases the Honeypot's attack surface. The default configuration of Conpot simulates a basic Siemens SIMATIC S7-200 PLC with an input/output module.
\subsection{MODBUS}
MODBUS, denoted IETF RFC 2026, is a serial communications protocol published by Modicon for use in its PLCs. It is now a standard for connecting industrial devices together. The basic configuration involves connecting a SCADA supervisory control system to a PLC or RTU. Many of the data types are named after their use in driving relays: a single-bit physical output is called a coil, and a single-bit physical input is called a discrete input or a contact. The device requesting the information is called the Modbus Master and the devices supplying information are Modbus Slaves. In a standard Modbus network there is one Master and up to 247 Slaves, each with a unique Slave Address from 1 to 247. The Master can also write information to the Slaves.
The MODBUS TCP/IP specification was introduced to integrate corporate intranets with PLC systems. This made the network more manageable, scalable and cost-effective. MODBUS TCP/IP offers many advantages:
\begin{itemize}
\item\textbf{Simplicity:} The MODBUS instruction set is carried inside TCP. The setup involves only a simple driver initialization at the end devices to communicate. Low development cost, inexpensive hardware and compatibility with many operating systems keep it simple.
\item\textbf{Standard Ethernet:} Ethernet integrates easily into simple chipsets and boards. The cost of implementing MODBUS over Ethernet is low, and ample resources are available as many developers are working on optimizing the technology. TCP port 502 is used by the MODBUS TCP/IP protocol.
\item\textbf{Open:} The MODBUS protocol has been open source since 2004 and has a dedicated organization working on its development, optimization and maintenance.
\item\textbf{Compatibility:} MODBUS provides interoperability among various vendors and also compatibility with devices of other manufacturers.
\end{itemize}
MODBUS TCP/IP is an Internet protocol, which makes the devices reachable from the Internet. This feature was incorporated deliberately, to facilitate better control and to allow device maintenance from remote systems over the internet. MODBUS is also an industrial network protocol, and industrial sites are geographically separated. MODBUS TCP/IP therefore helps in better management of distributed industrial systems throughout the world.
\section{Proposed System}
In this work, a low-interaction mobile Honeypot mechanism that simulates an industrial PLC will be designed and implemented. The design also aims at detecting attacks and making inferences about the attackers and their attacks. The final version will be integrated into the HosTaGe app alongside the other advanced mechanisms that HosTaGe already provides to its users.
As the proposed system implements a low-interaction Honeypot, the challenge lies in implementing only the essential components or services that make the simulated device discoverable and plausibly vulnerable to attack, for example the network stack. Along with basic attack detection, the system must also have a short response time, a robust design to withstand the attacks, and it must maintain a log of the exploit for further analysis and backtracking. An attempt will be made to detect attacks carried out by well-known worms such as STUXNET. The conclusions drawn about the attacks will be pushed to a central repository, where the details of the attack are made public for users worldwide. An overview of the proposed system, its mechanisms and the evaluation follows below.
\section{System Design}
HosTaGe has implemented mechanisms to emulate different kinds of hosts, such as a Windows host, Linux host, web server, FTP server, SSH server and more. The simulation of an industrial SCADA-based PLC will be added to the existing list of simulated hosts and services. To simulate PLCs it is important to understand their communication and control infrastructure. PLCs have network interfaces that support Ethernet, TCP/IP, MODBUS\cite{4627171}, DeviceNet\cite{898793}, ControlNet\cite{898793} and Foundation Fieldbus\cite{1435740}. The manufacturers have their own built-in shells to support FTP commands. The Ethernet communication module of the PLC typically runs an embedded operating system that includes the standard network protocols as well as implementations of industrial network protocols such as Modbus/TCP or EtherNet/IP. Telnet and FTP servers are common and carry identifying information which can be used to determine the vendor and version of the software. The network components that need to be simulated in a PLC are the TCP/IP stack, a Modbus/TCP server, an FTP server, a Telnet server and an HTTP web server which provides an interface to manage the functioning and control of the PLC.
The discovery and identification of the PLC in the network can be achieved through an nmap network scan, which reveals the host name and shows ports 21, 80 and 502 (Modbus) as open.
The main objective is to detect attacks made using the protocols offered by the Siemens SIMATIC S7-200 PLC. A logging mechanism records the information about the attacker.
\subsection{Siemens SIMATIC S7-200 - Overview}
The Siemens S7-200 is a micro programmable logic controller which can control a wide variety of devices to support various automation needs. The S7-200 monitors inputs and changes outputs as controlled by the user program, which can include Boolean logic, counting, timing, complex math operations, and communication with other intelligent devices. It can control and communicate with devices like automatic pressure controllers, centrifuge pumps and water cooling systems. The STEP 7-Micro/WIN programming package provides a user-friendly environment to develop, edit, and monitor the logic needed to control the application and monitor the devices. The Siemens SIMATIC S7 PLCs use PROFINET, which is based on Ethernet, for communication. There are over 3 million PROFINET devices deployed worldwide.
The Siemens S7-200 PLC boasts a compact design, powerful performance, optimum modularity and open communications. This micro PLC has been in successful use in millions of applications around the world, in both stand-alone and networked solutions.
This PLC uses communication protocols such as PROFINET, an advanced version of the MODBUS communication protocol. This protocol is also based on Ethernet. It also supports the TELNET, HTTP, FTP, SNMP, SMTP, MODBUS and S7Comm protocols. Though this PLC is designed to control critical systems, security was not a part of its design. The above mentioned protocols were not customized to facilitate secure communication. The standards were defined to create an interconnected environment between industrial automation devices and common networking protocols. Security was either ignored or thought to be too expensive on these devices. This makes the PLC an easier target for attackers.
The SIMATIC S7 PLC has also been subject to various vulnerabilities and attacks, including STUXNET as discussed earlier. We simulate the Siemens SIMATIC S7-200 PLC as our target system to attract attackers.
\subsection{Protocols}
The Siemens SIMATIC S7 supports a wide range of protocols, which include MODBUS/PROFIBUS TCP, HTTP, TELNET, FTP, SNMP, SMTP and S7Comm. MODBUS TCP and S7Comm are the communication protocols, and the rest of the protocols are enabled as added features.
\begin{itemize}
\item\textbf{HTTP:} The PLC hosts a mini web server, which publishes the data values and sensor readings as a web page. This page can be accessed on port 80 of the PLC's IP address.
\item\textbf{TELNET:} TELNET provides command and control of the target remote devices. It enables file-system commands and directory listing.
\item\textbf{FTP:} FTP provides file transfer and communication between end devices. These are usually files containing sensor readings and logs.
\item\textbf{SNMP:} SNMP is responsible for monitoring and control.
\item\textbf{SMTP:} SMTP is mainly enabled for the notification service in case of device failure or data inconsistency.
\item\textbf{MODBUS/PROFIBUS TCP:} MODBUS TCP acts as a strong communication mechanism between the slave and master devices. It forms a backbone for industrial systems automation. The protocol is used for communication between PLCs and control systems.
\item\textbf{S7Comm:} S7Comm is a proprietary protocol from Siemens used for communication between programmable logic controllers (PLCs) of the Siemens SIMATIC family.
\end{itemize}
\subsection{Perspective}
Make points of Adversary Perspective and Administrator Perspective
Honeypots, as stated above, are active entities that capture attacks targeted at them. They must be designed carefully, considering the services and vulnerabilities of the targeted system. One of the design decisions which is important //complete this part
\section{Implementation}
\subsection{SCADA PLC Profiles}
SCADA ICS devices can be classified into master and slave device types based on their interaction and functionality. The master system is responsible for controlling the slaves and sends them the appropriate commands for a task. These systems are usually control servers or host systems connected to PLCs or slaves, and they receive critical information and updates from the sensors placed on devices and PLCs. The other most important systems are the automation PLCs. Slave devices interact with many other devices and collectively process information to perform a task assigned by the master. When a MODBUS master wants information from a device, it sends a message that contains the device address, the data it needs and a checksum for integrity. The network is typically structured like a hub. The request is broadcast on the network and only the device from which the information was requested responds. The slave devices cannot initiate communication and can only respond to a request made by the master. MODBUS/TCP allows multiple masters to poll the same device in parallel. A unit can be either a master or a slave, but not both.
\begin{figure}[ht]
\centering
\includegraphics[scale=0.75]{Master-Slave}
\caption[SCADA Architecture]{\label{f:SCADA Master and Slave}SCADA Master and Slave profile }
\end{figure}
The above figure represents devices connected on the industrial LAN and the MODBUS master-slave communication. The master devices poll the slave devices and request information. The information is processed and sent back to the master. There is also the possibility that a PLC acting as a master pushes its data to other devices such as HMIs and other PLCs in the network.
In the past there have been both internal and external attacks on SCADA systems. The well-known STUXNET attacks were carried out internally, by deploying the malware on a host computer with the help of a USB drive. The malware then made use of vulnerabilities of the host system to replicate and spread through the network. Detecting such attacks is very important and cannot be ignored. These attacks are more dangerous than external attacks, as there are various mechanisms to detect attacks from external sites, and internal attacks have proved to be more catastrophic. We also concentrate on the slave profile. This is required as the slave devices today have Ethernet communication and can communicate with the Internet. Due to network configuration loopholes the device may be reachable from the internet, or the device itself may have been configured by the administrator to be accessed through the internet. For example, the slave devices also run HTTP servers which can display the sensor information in the form of a web page. Such a device may be configured to be accessed through the internet so that the sensor readings can be checked and monitored from an external system. There is no doubt about the possibility of attacks on such systems from the internet. Thus we concentrate on simulating both the master profile, to detect internal attacks, and the slave profile, to detect external attacks.
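As an added illustration (not part of this thesis or of the HosTaGe code) of the MODBUS exchange described in the MODBUS section and of the master-slave polling above: a master wraps a function code and its data in a Modbus/TCP MBAP header addressed to a unit id, and a simulated low-interaction slave answers only its own address, refuses writes with a Modbus exception and records every probe for later analysis. The names \texttt{build\_frame}, \texttt{parse\_frame} and \texttt{SimulatedSlave}, the unit id and the register contents are constructed for this example.

```python
import struct
from dataclasses import dataclass

# MBAP header of Modbus/TCP: transaction id, protocol id (always 0),
# length of the bytes that follow (unit id + PDU), unit id (slave address).
MBAP = struct.Struct(">HHHB")

READ_FUNCS = {1: "read_coils", 2: "read_discrete_inputs",
              3: "read_holding_registers", 4: "read_input_registers"}
WRITE_FUNCS = {5: "write_single_coil", 6: "write_single_register",
               15: "write_multiple_coils", 16: "write_multiple_registers"}


@dataclass
class Request:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def build_frame(transaction_id, unit_id, function, data):
    """Master side: wrap a PDU (function code + data) in an MBAP header."""
    pdu = bytes([function]) + data
    return MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_frame(frame):
    """Slave/honeypot side: validate the MBAP header and split off the PDU."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("truncated frame")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or length field")
    if not 0 <= unit <= 247:          # 0 is broadcast, 1..247 are slave addresses
        raise ValueError("unit id out of range")
    return Request(tid, unit, frame[7], frame[8:])


class SimulatedSlave:
    """Low-interaction slave: fixed register image, every probe is logged.
    Unit id and register contents are constructed sample values."""

    def __init__(self, unit_id, holding_registers):
        self.unit_id = unit_id
        self.registers = list(holding_registers)
        self.log = []                 # one record per received request

    def handle(self, frame):
        req = parse_frame(frame)
        kind = ("read" if req.function in READ_FUNCS
                else "write" if req.function in WRITE_FUNCS else "other")
        self.log.append({"tid": req.transaction_id, "unit": req.unit_id,
                         "function": req.function, "kind": kind})
        if req.unit_id != self.unit_id:   # a slave answers only its own address
            return b""
        if req.function == 3:             # read holding registers
            start, count = struct.unpack(">HH", req.data[:4])
            if not 1 <= count <= 125 or start + count > len(self.registers):
                return self._exception(req, 2)    # illegal data address
            values = self.registers[start:start + count]
            payload = struct.pack(">B%dH" % count, 2 * count, *values)
            return build_frame(req.transaction_id, req.unit_id, 3, payload)
        # writes and unsupported functions: refuse, but the probe stays logged
        return self._exception(req, 1)        # illegal function

    def _exception(self, req, code):
        return build_frame(req.transaction_id, req.unit_id,
                           req.function | 0x80, bytes([code]))

    def summary(self):
        """Counts per request kind: the raw input for later attack analysis."""
        return {k: sum(1 for r in self.log if r["kind"] == k)
                for k in ("read", "write", "other")}
```

A write attempt (function codes 5, 6, 15, 16) against the simulated slave is the event a Honeypot would flag, since a legitimate master polling sensor values only reads.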
\subsubsection{Exploit Areas}
We discussed the architecture, features and protocols offered by the Siemens SIMATIC S7-200 PLC and also the security concerns of ICS SCADA systems. Many exploit areas have been discovered. The PLC has been subjected to various exploits and attacks. However, large-scale attacks like STUXNET were successful because of vulnerabilities that existed on the host controllers as well, that is, on Windows OS hosts. It made use of zero-day exploits for both the Windows OS and the Siemens PLCs. The attack was well designed and strategised, considering vulnerabilities on both systems. There are also smaller attacks, like information leakage from an internet-facing PLC hosting a web server. Over the years many vulnerabilities have been identified on the Siemens PLCs. It is a great challenge to make these systems secure. The PLCs have limited resources, and thereby security measures like data encryption may prove expensive. Hence data encryption was avoided. This decision to leave out security features induced several exploits for the device.
The Honeypot must be designed with all the discovered exploits in mind in order to be more effective in attracting attackers. We consider both the external and the internal attack approach, thereby devising strategies to capture both kinds of attacks. Before we design our Honeypot, it is very important to understand the previously known attacks on PLCs, their impact and the vulnerabilities that caused them.
\subsection{Design of HosTaGe ICS Honeypot}
The proposed design of the HosTaGe ICS Honeypot simulates the services offered by the Siemens SIMATIC S7-200 PLC and also the master and slave profiles in an ICS SCADA environment. HosTaGe will also simulate the protocols supported by the Siemens SIMATIC S7-200. The protocols include MODBUS TCP, TELNET, FTP, SNMP, S7Comm and SMTP.
\subsection{Detecting Internal Attacks}
As discussed previously, ICS SCADA systems have master and slave profiles. Though the devices are subject to external attacks when exposed to the internet, it has been shown that the major attacks in the past were triggered by systems in the internal network. Attacks from malware such as STUXNET spread from host systems in the same network. Attacks from internal systems have proved to be more effective and dangerous, as they do not leave any fingerprints and their signature cannot be identified by anti-virus software and other protection tools. The STUXNET worm was reported to have been injected through a USB flash drive. It made use of zero-day vulnerabilities of the Windows operating system, the most popular one being the way the Windows operating system handles LNK files, which are used by the operating system to interpret devices capable of AUTORUN functionality and to detect the software to run a file based on its format.
An analysis of similar viruses and malware revealed that they made use of as many zero-day vulnerabilities as possible to make the attack more effective and stealthy. Identifying such malware attacks through our Honeypot mechanism is a challenge, as it involves careful design and simulation of the services involved in such attacks. To achieve this, the conditions under which such worms propagate and try to sneak into the network are studied. Analysis of the studies made by researchers (cite STUXNET: Dissecting a Cyberwarfare weapon) shows that the worm looks for (complete the rest by referring the paper)
As discussed above, STUXNET exploits the zero-day vulnerabilities of a Windows host and is dormant without them. Hence it is required to simulate at least one of the zero-day vulnerabilities. The best suited amongst the five was the propagation through a network shared drive. This service could be simulated, for example, with a WebDAV server. We could then wait for the worm to propagate itself into this simulated location.
\subsubsection{Detecting malware}
\subsection{Detection of Multistage Attack Approach}
\subsection{Attacks Log}
\subsection{Challenges}
\section{Evaluation and Results}
\subsection{Attack Data analysis}
\subsection{Conpot and HosTaGe attack comparison}
\subsection{A Review Of Vulnerabilities of Siemens S7-200}
\subsection{HosTaGe ICS - Performance Evaluation as an Android App}
\subsection{Observation and Analysis}
\section{Conclusion and Future Work}
\bibliographystyle{plain}
\bibliography{bibfile}
\end{document}